CA Senate Bill 1386 – What is it about?

Effective since July 1, 2003, CA Senate Bill 1386 requires any state agency, person or business that conducts business in California and maintains computerized personal information about California residents to notify those residents when the security of that data is breached. The duty is triggered when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person; encryption of the stored data is therefore the statute's built-in safe harbor. Section 2 (d) states that "breach of the security of the system" means "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business".
The statute defines personal information as an individual's first name or first initial and last name in combination with one or more of the following: social security number; driver's license number or California Identification Card number; account number, or credit or debit card number, in combination with any required security code, access code or password that would permit access to the individual's financial account. The purpose of the bill is to protect residents against identity theft, and it was expanded in 2008 by Assembly Bill 1298 to bring medical information and health insurance information under the umbrella of "personal information" as well. This applies to every business that maintains medical information, even one that is not a health care provider under the Confidentiality of Medical Information Act (CMIA).
Why does it matter?
California's data breach notification law was the first in the nation. Since then it has inspired similar laws in over 40 other states; as of this writing the only exceptions are Alabama, Kentucky, Mississippi, Missouri, New Mexico and South Dakota. So unless you do business solely with residents of those few states, chances are a data breach notification law applies to you.
See the full text of CA SB 1386 here.
What preventive steps can you take?
The surest way to avoid violating the data breach notification law is to prevent the breach in the first place; here are some best practices to get started:
4. Avoid sending personal information as email attachments. Standard email provides no end-to-end encryption: the message and its attachments pass through, and are stored on, intermediate mail servers in a form those servers can read, and an interception leaves no trace that sender or recipient would notice. If the data must travel, encrypt the file itself before attaching it, or use a channel that encrypts end to end. Learn more about why email is not secure here.
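The statutory definition above is concrete enough to turn into a pre-send check: before an attachment or message body leaves the organization, scan it for a name paired with one of the enumerated data elements. The following Python is an added example written for this page, not code from the original post or from any product; the regular expressions, the simplistic name heuristic and the sample messages are all constructed for illustration. It goes slightly beyond the text by validating candidate card numbers with the Luhn checksum, which removes most false positives from order numbers and similar digit strings, and it treats a card number as a hit without looking for the accompanying security code, a deliberately conservative choice for a data-loss-prevention rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the data elements enumerated in SB 1386. These are illustrative
# assumptions; production DLP rules need tuning against real data.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# California driver's license / ID card format: one letter followed by seven digits.
CA_DL_RE = re.compile(r"\b[A-Z]\d{7}\b")
# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Crude name heuristic ("John Smith" or "J. Smith"). A real deployment would match
# against a customer directory instead; this will over-match capitalised phrases.
NAME_RE = re.compile(r"\b[A-Z](?:[a-z]+|\.)\s+[A-Z][a-z]+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    element: str   # "ssn", "ca_dl" or "card"
    value: str     # the matched text


def find_elements(text: str) -> list[Finding]:
    """Return every statutory data element found in the text."""
    findings = [Finding("ssn", m.group()) for m in SSN_RE.finditer(text)]
    findings += [Finding("ca_dl", m.group()) for m in CA_DL_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # keep only checksum-valid card numbers
            findings.append(Finding("card", m.group()))
    return findings


def has_name(text: str) -> bool:
    return NAME_RE.search(text) is not None


def is_covered_personal_information(text: str) -> bool:
    """True when the text pairs a name with at least one statutory data element,
    which is the combination the statute calls 'personal information'."""
    return has_name(text) and bool(find_elements(text))


# Constructed sample outgoing messages (not real data).
SAMPLE_MESSAGES = {
    "claim_form": "Hi, attaching the claim for John Smith, SSN 123-45-6789, DL A1234567.",
    "receipt": "card on file: 4111 1111 1111 1111, exp 12/27. thanks",
    "newsletter": "Dear Jane Doe, your order #1234567890123456 has shipped.",
}


def scan_outgoing(messages: dict[str, str]) -> dict[str, bool]:
    """Map each message id to whether it should be blocked before sending."""
    return {key: is_covered_personal_information(body) for key, body in messages.items()}


if __name__ == "__main__":
    for key, flagged in scan_outgoing(SAMPLE_MESSAGES).items():
        print(f"{key}: {'BLOCK' if flagged else 'allow'}")
```

Of the three constructed messages only the claim form is blocked: it pairs a name with an SSN and a California license number. The receipt carries a valid card number but no name, so by the statute's definition it is not yet "personal information" (a stricter policy might still block it), and the newsletter's sixteen-digit order number fails the Luhn check and is ignored.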
